EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF MANAGEMENT AND BUDGET 
WASHINGTON, D.C. 20503 

September 16, 1985 

LEGISLATIVE REFERRAL MEMORANDUM 


TO: Legislative Liaison Officer 

Department of Commerce - Mike Levitt (377-3151) 
General Services Administration - Xlted Pbert (566-1250) 
Central Intelligence Agency (s 


SUBJECT: DOD testimony on H.R. 2889, the "Computer Security Research and 
Training Act of 1985" 


The Office of Management and Budget requests the views of your agency 
on the above subject before advising on its relationship to the 
program of the President, in accordance with OMB Circular A-19. 

A response to this request for your views is needed no later than 

NOON, TUESDAY, SEPTEMBER 17, 1985 


Questions should be referred to Constance J. Bowers (395-3457), the 
legislative analyst in this office. 



James C. Murr 
Assistant Director for 
Legislative Reference 


Enclosures 

cc: Ed Springer Kevin Sheid Russ Neely 
STATEMENT 

BY 

DONALD C. LATHAM 
ASSISTANT SECRETARY OF DEFENSE 
COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE 

AND 

CHAIRMAN 
NATIONAL TELECOMMUNICATIONS AND INFORMATION SYSTEMS SECURITY 
COMMITTEE 

CONCERNING H.R. 2889 
BEFORE THE 
SUBCOMMITTEE 
ON LEGISLATION AND NATIONAL SECURITY 
COMMITTEE ON GOVERNMENT OPERATIONS 
UNITED STATES HOUSE OF REPRESENTATIVES 
SEPTEMBER 18, 1985 


. o^ir-n and of th. .uboo-ittaa. 


Th.nx you f^4>5S2S? a 3 S&S."U ~ SS‘ 

sa ifs^jsart ssfs. 

r.M*rch t SinS5 ^ Fo"«*l Employe.. Who are involvd 

•l*o providing for th* tr.inin*^ automated Inf oration 

in th. «*n.9*«*nt» °^x^t« of thi* .Uboommitt.e «r« to be .ppl.ud.d 
(AIS) *y*t*m*- Uportanoa of th. 

•• ^ cmrri- : °“ t .tcutUvprobl.mtothi. nation and con.id.r. 

n5S: r .2K“? ULS »»1« oo^r.h.n.1.. « Bi. 

complex issue. 

To,..,, i ~ ? w ““ “ £:.ss;i“.. 

intont .nd <,v * rll lS ! h f»^iitMt Kcr.tary of D.f*n*« for 

SJ2nS?*io”rol (otSbc ) . 

nt^Jr^bl.^. ^li d rlSiring >V tl«ifio.n” 1 .o 8 

•»m Of potent ialcenfuaionin^th.^bi pregraro ,. 

EnSuy^^SvfiSSud" in my testimony auggaatad r.vi.ion. to th. 
JiU & your e.r.ful review »A .otion. 

rir.t, I ^l? h ^ r ^J 1 Ln^?? r in t ih. 9 IrI“if i Wut« 
to provid. for 4 Ai X to oft.n thi. 1* an area *or.ly 
..ourity training tnfl • A d b.cua. It i* not glamorou. • Ala®, 
overlooked and poorly f undeab^^^ .v.t.m ..ourity problem i* 

u you ar. all too aware. the oojputar - are made all th. more 

extremely complex and *olu one in tha .tata-of-tha-art . 

difficult by continuingrapidadvano^d * h# prolif *ra tion of local 

Th. emerging u.a of ■ u P** e ?*£)L >laa 0 f technology that make th. 
area network. ara but two axaajpias or uacnno £acad 

oomputar .yatam. *?‘ U ![^ T .^ 0 4. aoopa and aaaoeiatad WD in tha 
now. Tha problem ie immenee iJn aoop highly qualifiad and 

ara. is totally inadequat.^ ascur ity aggravat.a th. 

^KJ. pr w”«tot « w» «.i« i. thi. »• «•“* 

welcome. 

in this regard. I view H.B. 2889 a. a Po-i^ » chi#v * 

Bur.au of Standard, ha. for ^“r.y.tenTa.curity . It i. 
.xparti.a In ertain facet . P . *!»• his b. tapped to take on 

entirely w*opriate, therefor . tha tuHCC h .nd related 

additional r.apon.ibiliti.* «J ^ vlo|tly oav#at « y 

activitia. a. reiterated f_ . truly effective. these additional • 
comment, by saying that. t , . . n th. oont.xt of on-going 

BBS effort. BU,t . «f U 5v^oh £.11 under Mational ».curity D.ciaion 


As Chairman of the NTISSC, I view as one of my key responsibilities 
«*lng sure the problem of computer security is 

6iutl “ "I* muniio It-l.r«. as an important national issue. 

“Su » s^rLv. *>■» i. «>. ,... 

!! were not properly organized. The NTISSC structure now 
in being provides that organization and we are moving ahead with an 
SoSwlvS owinn.^ program in concert with similar initiatives 
being carried out by the NBS. 

At its last meeting on 4 September 1985, the Subcommittee on 
Automated Information Systems Security (SAISS), one of the two 
major subcommittees of the NTISSC, approved for issuance to the 
m>Tcnr a proposal to require education and training of federal 
SSJ5«ln?r«S .g*n«T5S-t expect the NTISSC to take up this 

EZtZlll Computer Security Center (NCSC) at the National Security 
Agency (NSA) has begun development of training courses in 
systems security for a DoD-sponsored awareness program. The NCSC 
will provide materials to other government departments and agencies 
for awareness training. Of course, funding for such training 
resources remains a problem. 

S r.qu..t. Jor pr~ury.r,t.or .CffUlU;;.; 

• *„ V# are in the process of Issuing a Standard entitled* oou 
Also# w# ara xn w P ^valuation Criteria", heraafter rafarrad to 

II U &! cSwK! to - a.sl.t In avaluating th. offctiv.n... of safe- 

4 .vm £«-it*rla on an interim one-year trial oaaia* rmtuy, 

DoD is undertaking an ambitious computer vulnerability reporting 
?i£d at correcting security weaknesses in DoD computer 
systems. This effort should also be very useful for designing a 
national reporting program. 

In my testimony for Mr. Glickman, Chairman of the Subcommittee 

s. s.*“~ •«»* 

with NBS playing a major role. 

Let me reiterate that NSDD-145 does not cover unclassified but 
sensitive non-national security-related information and therefore 
it in no way restricts, controls, or manages the activities of other 
federal departments or agencies who have responsibilities i n e ?2ar 
national security-related areas. In order to maintain this clear 
demarcation, the language in H.R. 2889 making reference to "sensitive" 
information should be amended to reflect that "unclassified 
but sensitive non-national security-related" data is the subject 
data in question. 


On the matter of research and development (R&D) responsibilities, 
the NBS has a well-developed program in the area of computer systems 
security. The NBS derives its responsibilities from the Brooks Act 
of 1965 (P.L. 89-306), the Privacy Act of 1974 (P.L. 93-579), and 
the Paperwork Reduction Act of 1980 (P.L. 96-511). We view these 
responsibilities as distinct both in intent and focus from those 
cited in NSDD-145. Again, NSDD-145 addresses only unclassified but 
sensitive national security-related and does not cover unclassified 
but sensitive non-national security-related information. More 
directly, privacy information, information on fraud, waste, and 
abuse, or proprietary data held by an agency is not covered by 
NSDD-145 dictates. 


Let me quickly add that we don't intend to meddle in NBS 
authorities or responsibilities in these areas. Rather, we see 
the NBS efforts and those of other federal agencies under NSDD-145 
as complementary and supportive of each other. Clearly, technical 
measures and techniques can apply equally well in many circumstances 
and technical interaction must be encouraged. 

Indicative of the strong current relationship between the NBS 
and the DoD, is the high-level of cooperation between the NBS and 
the National Computer Security Center at NSA which is already 
impressive and growing. Specifically, they have jointly sponsored 
for the past eight years a National Computer Security Conference. 
This year's conference, scheduled from 29 September 1985 to 3 
October 1985, will focus on mutual subjects of concern such as 
secure networks, verification, labelling, a profile of "hackers", 
and data base management security to name just a few. It will be 
attended by business, academia and government and allows for 
critical transfer of the results of the National Computer Security 
Center research and the NBS research throughout government and the 
private sector. 

Important work is proceeding between NBS and the NCSC in the 
area of personal computers and office automation. In this regard, 
a Guideline on Password Management is being published by the NCSC 
and will become an appendix to the NBS Password Usage Standard 
already in existence. Additionally, the NBS has done impressive 
work in micro-computer and mini-computer systems security which 
the NCSC is using. As a final example, NBS and the NCSC are sponsoring 
a symposium on risk analysis to examine methodologies of mutual 
benefit. Again, these efforts represent the high degree of interaction 
between these two centers of expertise. 

This cooperation must continue. However, the federal audiences 
for their respective services is different. The NCSC's target audience 
is the National Security Community while NBS services the 

civilian Thi» tkTTMqmmmnt nil *or*#a j 

the past and must be preserved. 

Let me add that the NBS has taken an active role in the 

s?5£s£ «! «-• 

s,SL,ss‘««r~u. -‘^rsr^UJc. . m - 

education. 

ra.poMibiu“i.rmDD-145 h raiulra. that BBS J°r ;«8SC 

SHriSSuXiS 2?U“ Si y «~cS^ .t«a.«i. «.~i*t.< to 

2S23 ttourlty K. STSS'^X® - ml f...- 

cipated that, Fadaral * B *?.?* k t v_ « lrat a ueh standard processed 

JS5!r°tJ2*»tMSe*«Iieiori l b.?.«.« It »" hwllcttloi. to both both 

SSuoS<>Sw« olottmoa prooo.tlhf Ohtlroimonto. 

“ r-s^s s: snfts’^ k;“»ss iis»s.iir, 

2uS‘S5iToS t SK. »hioh. i f.i. «»'« *«■ t" 1 - 

■ tional clarification . 

* **,# u a last rafarsnoa la smde to *eeneitlve" 
First, “W* ^J^JinSd » md -s.nsitivs unclasei- 

tioa* as us ad on pags 3 * 00 . 18 lb) !*)• 

dJrt^claarly’sat fort^tha^H'. R.*2BB9°doaa iot cask to Iwpaet 

SSniatration efforts undsr ’The 

following bs Insert . .. * unaartakan in oonsonanca with those 

following ms program shall bs^und^^k^^ £ ltn#ftt#d ln national 

•aeurity K.tSi McuritJ.- This important 

cations • B ®*“t^es d overlap of responsibilities between the 
S2J«S2St S SSSrorSnd the Department of Defense and recognizes 
that both programs are complementary and supportive. 

In closing, let me allay the 

NSDD-145 does in some way, shape, or form restrict current 
NSDD-145 


* ^ «n. '*ir..dy 

and complementary efforts. 

Computer systems security is a major challenge that needs 
all the available brainpower and resources this nation can muster. 
As such, let's move ahead together in the spirit of harmony and 
cooperation, not competition. I feel H.R. 2889, with the 
recommended changes I proposed, is a positive step in fostering 
this spirit of cooperation. 


Accompanying me is Mr. Robert Rich, Deputy Director, NSA, who 
will further describe the activities of the Computer Security 
Center and other programs now being carried out by NSA in the areas 
of computer systems security awareness, education, training, and 
research and development. 


Mr. Chairman, this concludes my prepared remarks. I would 
be happy to answer any questions that you or the Subcommittee 
have. 